Are you planning an instance of personal data processing that may lead to high risk for the data subjects? If so, you must make a so-called impact assessment regarding data protection. Briefly, it is a matter of being foresighted, preventing risks and thereby protecting people's rights and freedoms. The aim is to minimise the risks in conjunction with such personal data processing that involves high risk.
About impact assessments
The purpose of an impact assessment is to prevent risks before they occur. You may need to make an impact assessment
- before you begin an instance of personal data processing
- if the risk associated with an ongoing instance of personal data processing changes
- in the case of ongoing personal data processing if you have not done so earlier.
The impact assessment is a process to
- determine what risks exist with processing personal data
- draw up procedures and measures to meet those risks
- demonstrate that the General Data Protection Regulation's requirements are complied with.
Start with a risk analysis
You must always make an impact assessment if your processing of personal data is likely to result in a high risk to individual people's rights and freedoms. But not everyone always needs to make an impact assessment:
- Analyse what risks your personal data processing may involve and suggest appropriate security measures. Document your findings so that you can demonstrate that you comply with the Regulation.
- On the basis of your risk analysis you then decide if you need to go further and make an impact assessment.
N.B. If in doubt, you should always make an impact assessment.
If you still consider that there is a high risk with the personal data processing, you must consult Swedish Authority for Privacy Protection before you may begin the processing.
N.B. Before you request prior consultation you must have made a thorough impact assessment that is well documented.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.